Feature #7012: Add dns.response sticky buffer
Status: open
Description
Add DNS sticky buffer dns.response that will allow a signature to trigger on any name and rdata field over all sections in a DNS response message.
This allows simplified policy configuration and matching on all relevant fields in a dns response (instead of multiple signatures, each looking at a specific field).
This also addresses a gap where all sections / records are not currently exposed for matching.
- the "name" field in each record
- the "rdata" field in each record. For rdata, there is some logic limiting the "type" that will be checked to those that could contain domain names such as MX, NS, SOA, CNAME, PTR, ...
I plan to open a PR soon if there is interest in this feature.
Updated by Jason Ish 7 months ago
Last time I asked a similar question, the answer was that specificity was preferred, and this led to dns.answer.name and dns.query.name, and I expect this to get more complete in time.
So I'd be keen to hear interest in this field.
Just a note: dns.response is a little open in the naming department.
Updated by Nathan Scrivens 7 months ago · Edited
- Assignee changed from OISF Dev to Nathan Scrivens
Thanks for the feedback Jason.
Here is a little extra context. For our organization we are running in IPS mode, and are interested in triggering on any potential record in a DNS response message that could match our signatures / datasets. Needing to reference every individual field for each section will add complexity and replication to our signature set.
For example, we want to match on:
- question section: name field
- answer, authority, additional sections: name and rdata fields
This would be seven unique fields, which would translate to seven signatures just for DNS response traffic (even more if we want to have different signature / action combinations). It would be much simpler to have a generic way to fully match a DNS response.
I can see value in both implementations. Exposing unique fields for those who want to write a specific signature, but also having the option to match against all fields easily for those who want to match on everything possible in a response with a single signature.
The name isn't important, we could change that if you feel dns.response is too open. It seemed to me like a nice description, as the result is matching on the entire DNS response.
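As an added illustration (example code, not Suricata's engine or the PR discussed here) of the field set described in the issue description and in the seven-field list above: walk every section of a DNS response and collect each record's "name", plus "rdata" only for the types that can carry a domain name (NS, CNAME, SOA, PTR, MX). The parser, the type list and the sample wire message are assumptions of this example, and the sample is constructed, not captured.

```python
import struct

def read_name(msg, off):  # decode a (possibly compressed) name -> (name, offset past it)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2   # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def rdata_names(msg, rtype, off):  # names inside rdata, only for the types that carry them
    if rtype in (2, 5, 12):                  # NS, CNAME, PTR: rdata is a single name
        return [read_name(msg, off)[0]]
    if rtype == 15:                          # MX: 16-bit preference, then exchange name
        return [read_name(msg, off + 2)[0]]
    if rtype == 6:                           # SOA: MNAME, RNAME, then five uint32 fields
        mname, off = read_name(msg, off)
        return [mname, read_name(msg, off)[0]]
    return []                                # A, AAAA, TXT, ...: no name to match on

def response_fields(msg):  # (section, field, value) over all four sections
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    out, off = [], 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        out.append(("question", "name", name))
        off += 4                                        # skip QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out.append((section, "name", name))
            out += [(section, "rdata", n) for n in rdata_names(msg, rtype, off)]
            off += rdlen
    return out
# Constructed sample (not a capture): example.com -> MX, NS, plus a glue A record
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 1, 1) + b"\x07example\x03com\x00\x00\x01\x00\x01"
          + b"\xC0\x0C" + struct.pack("!HHIH", 15, 1, 300, 9) + b"\x00\x0A\x04mail\xC0\x0C"
          + b"\xC0\x0C" + struct.pack("!HHIH", 2, 1, 300, 6) + b"\x03ns1\xC0\x0C"
          + b"\xC0\x2B" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

`response_fields(SAMPLE)` yields six matchable values (three names from the question and the example.com records, one name from the glue record, and the MX and NS rdata names); the glue A record contributes no rdata entry, which is the type restriction the description mentions.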
Updated by Nathan Scrivens 5 months ago
I have made progress on this, but it also has dependencies on: https://redmine.openinfosecfoundation.org/issues/7011
Once that feature is merged I'll be able to open a PR.
Do you have any other suggestions for a name if "dns.response" is too open?
Updated by Jason Ish 5 months ago
- Related to Feature #2448: Add additional buffers for DNS Responses added